You cannot use JAAS like this. Web application you are accessing is portal itself - then it renders portlet. In your portlet application you can consume identity of user logged into portal.

You have 3 choices

1) Portlet spec lets you map role from JAAS that can be checked with isUserInRole() - then you implement restriction yourself.

2) In GateIn you can use Organization API to check user groups and restrict access to certain operations on portlet level yourself

3) In GateIn you can use app level permissions (Application Registry) or Page level restrictions to secure access to your content - therefore to access page where your portlet is user will be required to login in portal. Try going into one of portal administration pages when logged as root/gtn. Then logout and access same URL - this will be such behaviour.